Aid in bypassing DNS issue
William Warren
hescominsoon at emmanuelcomputerconsulting.com
Mon Jul 28 11:43:00 UTC 2008
Steve Bertrand wrote:
> With the time I've had, I've tried my best to keep up with every
> message related to the current issue upon us related to DNS.
>
> I am a small op, amongst many that I've met the last few days that may
> need assistance. I would like at least someone from a large operation
> to read what I've done, what my concerns are and what help might be
> provided for a scenario. If this is as big an issue as I feel it is,
> then perhaps those with resources can offer advice. If you will:
>
> I've:
>
> - exploited a legacy machine and hijacked the NS records
> - set up an NS under the phony domain
> - configured A, AAAA and MX records for the hijacked domain (example.com)
> - put in place a simple index.html file for a website
> - configured email accounts
> - you get the point...it all works
>
> Then:
>
> - made some slight changes to the latest (as of 1000hrs 080725) to the
> bailiwicked_domain.rb file to accept a new parameter 'RECURSCHK', that
> 'fixes' the problem of a consistent domain showing up in the initial
> TXT check that from what I can tell tests for recursion: (#set
> recurschk wwNN.myDdomain.com).
>
> It allows an attacker to set a lookup against a name/record that (s)he
> knows exists to get the ball rolling initially.
>
> This generally ensures that the first check of the exploit will always
> pass (at least get an affirmative response, recursive or not), but
> come under the radar of an expecting IDS filter.
>
> Once one host is exploited, then the rest of the names can be
> built/run against, well, anything of course ...unfinished, but in
> progress (I know Perl, never dealt with Ruby... a if/for/while would
> be handy).
>
> I'd like to change the initial TXT to an A, but I don't think I quite
> understand the ramifications on the grand scheme of things within the
> scope of the exploit code, unless I were to focus more time on this.
> Technically, I'm now on holidays...
>
> Anyway, if you've read this far,
>
> - my true, core name servers are as vulnerable as any name server that
> has been patched
>
> - I have clients connected to my 'upstream' (if you please)
>
> - I configured a DNS server (implementation regardless) to "FORWARD
> ONLY" to the 'upstream' DNS servers
>
> - We found that we are vulnerable, due to the fact that our 'upstream'
> DNS servers are vulnerable because they don't use port randomization
>
> - we have wholesale business clients who are directly connected to
> this 'upstream', and retrieve DNS server addresses via DHCP from
> somewhere within their access layer
>
> - the 'upstream' has made no confirmation regarding fixes after
> discussion
>
> My question:
>
> How to deal with this? It appears as though there are many that state
> "...the patching has gone down hill", but what to do when your hands
> are tied?
>
>
>
> Is there a network operations centre capable, able and willing to
> publicly claim:
>
> "if you've tried your best to tell your 'upstreams' (ISP) to fix the
> issue but they haven't, tell them to forget patching, ignore the work
> until the problem goes away, turn off recursion and forward to us,
> then patch later when you can afford some downtime"?
>
> Thank you to everyone who has already put so much time and
> determination into this issue.
>
> Steve
>
if your upstream has not fixed their issues yet..try forwarding to
opendns which IS secured against this issue until your upstream fixes
their servers.
More information about the NANOG
mailing list